blocks|key|2764540|text|type|unstyled|depth|inlineStyleRanges|entityRanges|data|entityMap^0^^$0|@$1|2|3|-4|4|5|6|B|7|@]|8|@]|9|$]]]|A|$]]

In fact, it gets even worse if <code>1+ActualAge</code> is less than <code>AgeToProve</code>, since in that case P would have to find a preimage for the hash in step 3!

But (even without actually following any of your links) I would guess that there's an implicit assumption that a legitimate P will not even attempt to run the protocol unless <code>ActualAge ≥ AgeToProve</code>, since proving that they're not quite old enough doesn't gain them anything anyway.

Of course, a malicious P could do whatever they want, including accidentally (or deliberately!) revealing the secret. But in general, we don't really care if a malicious party will do something that only hurts themselves.

<hr>

OK, let me extend my answer after reading the linked <a href="http://blog.stratumn.com/zkp-hash-chains/" rel="nofollow noreferrer">blog post</a> and <a href="https://cs.nyu.edu/~mwalfish/papers/vex-sigcomm13.pdf" rel="nofollow noreferrer">article</a>.

First of all, note that the blog post and the article actually describe different protocols with different participants and goals. Specifically, the protocol described in the blog post has three participants:

<ul>
<li>a prover P who wants to prove to the querier Q that their age $a$ (a non-negative integer number of years) meets or exceeds some minimum limit $q \ge 0$, without revealing how much older than the minimum limit they are;</li>
<li>a querier Q who wants to know whether P is at least $q$ years old; and</li>
<li>a government authority A that knows how old P is, is trusted by both P and Q, and can sign messages in such a way that Q can verify that they come from A, even if relayed by P.</li>
</ul>

In the protocol describe in the article, however, the authority A does not exist! Instead, in that protocol, P simply picks an arbitrary (non-negative integer) number $x$ and sends to Q a commitment to that number, such that they can later both:

<ul>
<li>prove to Q that the number $x$ they picked is greater than or equal to some threshold $q \ge 0$, without revealing how much greater it is; and</li>
<li>optionally, to release the exact value of $x$ and prove that this is indeed the number that they earlier committed to.</li>
</ul>

The reason this distinction matters is because the protocol outlined in the blog post actually contains some vestigial features (specifically, the way the initial seed for the hash chain is selected) that aren't required for the scenario described in it, and which could be left out to simplify the protocol! Those features are only needed if we want P to be able to also optionally prove their exact age to Q.

<hr>

To illustrate how the protocol is supposed to work, let me first start by describing a simpler protocol for the three-party case. Specifically, instead of all this messing around with hash chains, the authority A could simply issue the prover P with a bunch of separate signed "tickets", each stating that:

<blockquote>
 Authority A hereby certifies that P is at least $x$ years old.
</blockquote>

where $x$ ranges from zero to P's actual age $a$. Then, to prove that they're at least $q$ years old, P simply needs to select the ticket with $x = q$ and reveal it.

The problem with this scheme is that it requires A to sign a separate ticker for every year of P's life, and for P to store all of them. (Honestly, that might not be much of a problem in practice, since in real life $a$ rarely exceeds 100. But it could be a problem if we, say, decided to count P's age in days or even seconds instead of years.) It would be kind of nice if we could have a scheme where:

<ol>
<li>the authority A could send P a single ticket stating their actual age;</li>
<li>there was a way for P (or anybody else!) to decrement the age on the ticket, i.e. to take a valid ticket that says the P is at least $x$ years old, and obtain a valid ticket stating that P is at least $x-1$ years old;</li>
<li>there was no way for P or anybody else to reverse this operation, i.e. to increment the age on the ticket and have it still accepted as valid; and</li>
<li>the authority A could simply sign a single ticket stating that "P is at least 0 years old", knowing that anybody who applies the decrement operation to any other valid ticket (and only to a valid ticket!) for P's age enough times will eventually obtain the signed ticket and be able to verify the signature.</li>
</ol>

One way to achieve that is to include an arbitrary string of, say, 256 bits on each ticket, and have the decrement operation include hashing that string with SHA-256 and replacing it with the hash output. That is, A could send P a ticket stating:

<blockquote>
 Authority A hereby certifies that P is at least $a$ years old. Hash: $s$.
</blockquote>

and a signature for the ($a$ times decremented) ticket:

<blockquote>
 Authority A hereby certifies that P is at least 0 years old. Hash: $H^a(s)$.
</blockquote>

where $s$ is a random 256-bit string and $H^a$ denotes SHA-256 iterated $a$ times.

When P wants to prove to Q that they are at least $q \le a$ years old, they can then apply the decrement operation $a-q$ times to the original ticket sent by A to generate a ticket stating:

<blockquote>
 Authority A hereby certifies that P is at least $q$ years old. Hash: $H^{a-q}(s)$.
</blockquote>

and send it to Q along with the signature for the "at least 0 years old" ticket that they received from A. And Q, in turn, can apply the same decrement operation $q$ more times to re-derive the "at least 0 years old" ticket, and then verify that it matched A's signature.

The reason this works is because SHA-256 is (believed to be) preimage resistant. This means that, given a random string $s$, it's easy for anybody to calculate SHA-256($s$), but effectively impossible to find any string $r$ such that SHA-256($r$) = $s$. Thus, given the original ticket stating that they are (at least) $a$ years old (with the random hash $s$), P can easily obtain a valid ticket for any age $q \le a$, but not for any age greater than $a$.

<hr>

OK, but then why does the protocol described in the blog post (and in the VEX paper) have the authority A first choose a random "seed" string $r$, and then use $s$ = SHA-256($r$) as the hash on the first ticket sent to P?

Well, one reason why one might do that is to make sure that the hash on the first ticket really looks like a normal SHA-256 output. Sure, a random 256 bit string should be indistinguishable from a random SHA-256 output anyway, but we all know that in reality, random number generators can have subtle bugs that are often hard to test for. Hashing the initial random value gives a little extra assurance that nobody can find any way to distinguish the original ticket stating P's true age from any decremented derivatives of it.

But that doesn't mean that A would have to ever reveal their original random value $r$ to P. And indeed, the protocol as described above works perfectly well without it. So why, then, does the VEX paper (and the blog post based on it) seem to suggest revealing this $r$ to P? And doesn't doing so let P lie about their age by one year?

I'll answer the second question first. Knowing $r$ will not let P lie about their age, provided that:

<ul>
<li>the seed $r$ is deliberately chosen not to be a possible SHA-256 output, and</li>
<li>the querier Q always verifies that the hash on the ticket is a possible SHA-256 output before accepting it as a proof of age.</li>
</ul>

OK, but what good does revealing $r$ to P do? Well, it allows P to also choose to reveal (and prove!) their exact age to Q by disclosing $r$. Since, as noted above, $r$ must not look like a valid SHA-256 output, this means that Q can be sure that it's indeed the first value in the hash chain leading down to the "at least 0 year old" hash signed by A, and that therefore $s$ = SHA-256($r$) must be the hash corresponding to P's true age (at the time A generated the signature, anyway).

Basically, without this extra feature, P could always decide to lie about being younger than they actually are, and there would be no way for Q to detect that, at least not without extra infromation from A.

For the age checking protocol described in the blog post, this isn't really a particularly important feature. After all, if P needed to be able to prove their exact age, they could just get A to sign a separate message stating it. 

However, for the verifiable auction protocol described in the original VEX paper it is essential, because in that protocol there is no central authority A, and the provers instead get to freely choose the value they want to commit to. Without a way to reveal and verify the actual committed value at some point, the provers could just pick some huge value (say, one billion) at the start of the auction, and only later decide which "at least" queries they actually want to answer affirmatively.

<hr>

Anyway, it turns out that, while the protocol as designed (and reasonably interpreted) is sound as far as I can tell, the JS implementations linked from the blog post and from your question are both buggy.

In fact, both of them have two bugs: one of that allows the prover to generate a bogus proof for a minimum age one year greater than their true age (revealing their secret seed in the process), and another bug that allows the verifier to accept it. 

The first bug is simply that the prover should never attempt to generate a proof for a minimum age that they don't actually meet. A minimal fix to <a href="https://github.com/stratumn/hashchains/blob/master/index.html" rel="nofollow noreferrer">the code linked from the blog post</a> would be to add the following like to the beginning of the <code>challenge()</code> function:

<pre><code>function challenge(age, age_to_prove) {
 if (age &lt; age_to_prove) return null; // &lt;- ADD THIS LINE!
 Q = hashchain(S, Number(age)+1-Number(age_to_prove))
 document.getElementById("display_Q").innerHTML = Q
 return Q
}
</code></pre>

A similar bug is also present in the <code>prove()</code> function in <a href="https://repl.it/repls/SmartOccasionalQueries" rel="nofollow noreferrer">your code</a>, and can be fixed the same way.

The second bug is that, even if the prover (deliberately or by mistake) tries to use their initial hash chain seed as a proof of age, the prover must not accept it. The blog post does correctly note this in the "Soundness" section:

<blockquote>
 The exception to this is for $AgeToProve=ActualAge+1$, in which case Paula could just send $S$. However, as the format of $S$ is publicly known, a watchful verifier would detect the fraud [...]
</blockquote>

but the linked JS code doesn't actually include such a check. As a result, the verifier in the demo will happily accept the seed $S$ as bogus proof of age (and, due to the first bug, the prover will in fact respond with the seed if asked for a proof of a minimum age greater than their true age).

The blog post also uses a rather unfortunate choice for the format of the initial secret seed: 128 zero bits followed by 128 random bits, for a total of 256 bits. The reason this choice is bad is that it precisely matches the output bit length of SHA-256, making it theoretically possible (even if extremely unlikely) for a genuine SHA-256 output to match the format of the secret seeds. Literally any other choice of seed length (including just leaving out the 128 zero bits) would've avoided this issue.

Anyway, sticking with the poorly chosen seed format, a basic fix for the <code>verify()</code> function would be to add something like the following check at the top of it:

<pre><code>if (Q.length != 64 || Q.substr(0,32) == '00000000000000000000000000000000') {
 // this does not look like an SHA-256 output; verification failed!
 return null;
}
</code></pre>

Of course, if the format of the secret seed was changed so that it wasn't exactly 256 bits (= 64 hex digits) long, then the <code>.substr()</code> check could be removed. And also, of course, if the protocol was simplified (at the cost of removing the option for exact age verification) so that the prover never learned the secret seed to begin with, then this check would not even be necessary.

I came across this blog post <a href="http://blog.stratumn.com/zkp-hash-chains/" rel="noreferrer">http://blog.stratumn.com/zkp-hash-chains/</a> which provides a <code>Protocol to prove in zero-knowledge that an integer (such as age or balance) is greater than a known threshold.</code>

It is based on this paper: <a href="https://cs.nyu.edu/~mwalfish/papers/vex-sigcomm13.pdf" rel="noreferrer">Verifiable Auctions for Online Ad Exchanges</a>

The protocol is as follows:

<ol>
<li>A trusted central document authority that provides proof services. P has requested a secret <code>S</code> from this authority, for use in proving her age. The authority assigns a secret (256 bit) <code>S</code> to P. Let’s say P's <code>(S)</code> is:

<pre><code>0000000000000000000000000000000027ae41e4649b934ca495991b7852b855
</code></pre></li>
<li>The Authority then calculates a hash-chain one link greater than P's age:

<pre><code>EncryptedAge=HASH^{ActualAge+1} (S)
</code></pre></li>
<li>P also computes

<pre><code>Proof=HASH ^ {1+ActualAge−AgeToProve} (S)
</code></pre></li>
<li>P then sends to the other party: 

<ol>
<li>The Authority’s signed Proving Kit (which contains her EncryptedAge )</li>
<li>The Proof she calculated</li>
</ol></li>
<li>The party that needs to verify P's age does:

<ol>
<li>Extracts P's EncryptedAge from the Authority’s message</li>
<li>Computes:

<pre><code>VerifiedAge=HASH ^ {AgeToProve} (Proof)
</code></pre></li>
<li>Compares <code>VerifiedAge == EncryptedAge</code>. If equal then age is higher than age to verify.</li>
</ol></li>
</ol>

Here is the code in JavaScript to test above protocol: <a href="https://repl.it/repls/SmartOccasionalQueries" rel="noreferrer">https://repl.it/repls/SmartOccasionalQueries</a>

I think there is a flaw in the protocol, it occurs in this step:

<pre><code>Proof=HASH ^ {1+ActualAge−AgeToProve} (S)
</code></pre>

When <code>1+ActualAge</code> is equal to <code>AgeToProve</code>, then hash is not applied on <code>S</code>. 

<ol>
<li>It ends up sending the secret as Proof. <code>S</code> should have been maintained as secret.</li>
<li>It ends up computing that verified Age == encrypted age, where as it is not, example: <a href="https://repl.it/repls/OrderlyPalegreenScriptinglanguages" rel="noreferrer">https://repl.it/repls/OrderlyPalegreenScriptinglanguages</a></li>
</ol>

The below is example from the blog, with <code>Age = 19</code>, and <code>AgeToProof = 20</code>:

<blockquote>
 <a href="https://i.stack.imgur.com/mF1SH.png" rel="noreferrer"><img src="https://i.stack.imgur.com/mF1SH.png" alt="enter image description here"></a>
</blockquote>

Zero Knowledge Proof using hash chains - Is there a flaw in the algorithm?

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

教程

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云智能顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云AI代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

功能1上新10个字符

功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符功能2描述100个字符。

功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符功能2上新100个字符。

功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符功能5描述100个字符

功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符功能5上新100个字符

功能4上新

文章&问答评论现已支持表情

全新交互，全新视觉，新增快捷键、悬浮工具栏、高亮块等功能并同时优化现有功能，全面提升创作效率和体验

社区富文本编辑器全新改版！诚邀体验～ 

精选全网热门MCP server，让你的AI更好用 🚀

💥开发者 MCP广场重磅上线！

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

聚焦“写作效率、视觉美观与运行性能”三方面进行全面升级，为您提供更高效、稳定的创作环境

社区富文本&Markdown编辑器全新改版上线，欢迎大家体验!

诚挚邀请您参与本次调研，分享您的真实使用感受与建议。您的反馈至关重要，感谢您的支持与参与！

社区新版编辑器体验调研

我偶然看到一篇博客文章http://blog.stratumn.com/zkp-hash-chains/，它提供了一个Protocol to prove in zero-knowledge that an integer (such as age or balance) is greater than a known threshold.它是基于本文：可验证的网络广告交换方案。该议定书如下：提供证

问零知识证明使用哈希链-在算法中有缺陷吗？
EN

回答 1

Cryptography用户

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问零知识证明使用哈希链-在算法中有缺陷吗？EN